google-code-export / bignoze

Automatically exported from code.google.com/p/bignoze

Double responses from PayPal - IP address investigation #428

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Following on from issue 321 (Double Order Confirmation emails) we need to 
conduct further IP address investigation.

We need to determine if we can block certain IP addresses to minimise this 
'shadowing' situation occurring.

The duplicated requests are made on two servers to attempt to complete the 
transaction.  They are made from two different IPs, within a few seconds of each 
other.

IP 1 
103.246.36.212
It appears to be a Blue Coat IP
http://www.bluecoat.com/

IP 2 155.144.40.32
It appears to be an Aust Post IP address

Example IIS logs for the duplicate situation:

App 01 ==========================================================

2012-11-08 21:00:15 10.1.47.130 GET /checkout/success o1=20121109630009&o2=20121109540010&o3=20121109290011&o4=20121109190012&o5=20121109880013&o6=20121109980014&token=EC-4W444058YR067353A&PayerID=8WMRYD6C2TJ5L 80 - 103.246.36.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+MS-RTC+LM+8;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 302 0 64 5750

2012-11-08 21:00:25 10.1.47.130 GET /checkout/complete o1=20121109630009&o2=20121109540010&o3=20121109290011&o4=20121109190012&o5=20121109880013&o6=20121109980014 80 - 103.246.36.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+MS-RTC+LM+8;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 156

2012-11-08 21:01:02 10.1.47.130 GET /profile/order/20121109630009 - 80 - 103.246.36.212 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+MS-RTC+LM+8;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 302 0 0 31

App 02 ==========================================================

2012-11-08 21:00:04 10.1.47.131 GET /checkout/success o1=20121109630009&o2=20121109540010&o3=20121109290011&o4=20121109190012&o5=20121109880013&o6=20121109980014&token=EC-4W444058YR067353A&PayerID=8WMRYD6C2TJ5L 80 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.60+Safari/537.1 302 0 0 16171

2012-11-08 21:00:04 10.1.47.131 GET /checkout/complete o1=20121109630009&o2=20121109540010&o3=20121109290011&o4=20121109190012&o5=20121109880013&o6=20121109980014 80 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.60+Safari/537.1 200 0 0 125

2012-11-08 21:00:41 10.1.47.131 GET /profile/order/20121109630009 - 80 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.60+Safari/537.1 302 0 0 125

2012-11-08 21:00:41 10.1.47.131 GET /profile/order/20121109630009 - 443 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.60+Safari/537.1 200 0 0 125

Original issue reported on code.google.com by Rob...@gmail.com on 23 Jan 2013 at 10:14
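As an added example (not code from the issue or from the bignoze project), the check this investigation calls for, in Python: parse IIS W3C log lines in the default field order seen above, group /checkout/success hits by their PayPal token, and report tokens hit more than once within a window, with the client IPs and app servers involved, plus any hit whose query is blank ("-"). The sample lines are constructed from the logs above with shortened User-Agents; the 203.0.113.7 blank-query line is made up.

```python
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample modelled on the issue's IIS logs: the two /checkout/success
# hits (App 02 then App 01), one /checkout/complete, and one made-up blank-query hit.
SAMPLE_LOG = """\
2012-11-08 21:00:04 10.1.47.131 GET /checkout/success o1=20121109630009&o2=20121109540010&token=EC-4W444058YR067353A&PayerID=8WMRYD6C2TJ5L 80 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1) 302 0 0 16171
2012-11-08 21:00:04 10.1.47.131 GET /checkout/complete o1=20121109630009&o2=20121109540010 80 111 155.144.40.32 Mozilla/5.0+(Windows+NT+5.1) 200 0 0 125
2012-11-08 21:00:15 10.1.47.130 GET /checkout/success o1=20121109630009&o2=20121109540010&token=EC-4W444058YR067353A&PayerID=8WMRYD6C2TJ5L 80 - 103.246.36.212 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 64 5750
2012-11-08 21:05:00 10.1.47.130 GET /checkout/success - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 0 31
"""

# Default IIS W3C field order, as in the logs above (spaces inside values are '+').
FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port", "user",
          "c_ip", "ua", "status", "substatus", "win32", "time_taken"]

def parse_iis(text):
    """Parse W3C lines into dicts with a datetime 'ts'; skip '#' directives and lines with the wrong field count."""
    rows = []
    for line in text.splitlines():
        parts = line.split(" ")
        if not line or line.startswith("#") or len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def find_duplicate_success(rows, window_s=60):
    """Return (duplicates, blank): tokens with >1 /checkout/success hit inside
    window_s seconds, and /checkout/success hits that carried no query at all."""
    blank, by_token = [], {}
    for r in rows:
        if r["uri"] != "/checkout/success":
            continue
        if r["query"] == "-":          # the blank-parameter case Rob asks about
            blank.append(r)
        else:
            token = parse_qs(r["query"]).get("token", [""])[0]
            by_token.setdefault(token, []).append(r)
    dups = []
    for token, hits in by_token.items():
        hits.sort(key=lambda r: r["ts"])
        spread = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        if len(hits) > 1 and spread <= window_s:
            dups.append({"token": token, "count": len(hits), "spread_s": spread,
                         "client_ips": sorted({r["c_ip"] for r in hits}),
                         "servers": sorted({r["s_ip"] for r in hits})})
    return dups, blank
```

Run over the real log set, a duplicate whose client_ips list has two entries and whose servers list has two entries is exactly the "shadowing" pattern described in the issue.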

GoogleCodeExporter commented 9 years ago

Original comment by Rob...@gmail.com on 22 Feb 2013 at 6:08

GoogleCodeExporter commented 9 years ago
Although not directly part of a release, I have assigned to 11.1 to give it 
better visibility and to allow it to be scheduled ahead of work for release 11.2

Original comment by Rob...@gmail.com on 5 Mar 2013 at 8:10

GoogleCodeExporter commented 9 years ago
Will aim to provide IIS logs over a web accessible URL

Original comment by Hui....@gmail.com on 6 Mar 2013 at 12:38

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Removed comments with links to log file.

I have done some initial investigation and I agree with Roy that a regular 
'culprit' IP address is 103.246.36.212 (Blue Coat - http://www.bluecoat.com/).

I have contacted Blue Coat technical support to understand why this may be 
happening.  I am expecting a response in the next day or two.

Original comment by Rob...@gmail.com on 14 Mar 2013 at 12:57

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
We should block that address

Some more info on Blue Coat...

http://bluecoat.com 
inetnum:        103.246.36.0 - 103.246.39.255
netname:        BLUECOAT-CS-AP
descr:          420 N. Mary Avenue
country:        AU
admin-c:        DB381-AP
tech-c:         DB381-AP
status:         ASSIGNED PORTABLE
mnt-by:         APNIC-HM
mnt-routes:     MAINT-BLUECOAT-CS-AP
mnt-irt:        IRT-BLUECOAT-CS-AP
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        hm-changed@apnic.net 20110705
source:         APNIC

role:           Daniel Bellazetin
address:        420 North Mary Avenue Sunnyvale, CA 94085-4121
country:        US
phone:          +018019992975
e-mail:         daniel.bellazetin@bluecoat.com
admin-c:        DB381-AP
tech-c:         DB381-AP
nic-hdl:        DB381-AP
mnt-by:         MAINT-BLUECOAT-CS-AP
changed:        hm-changed@apnic.net
source:         APNIC

Original comment by Hui....@gmail.com on 14 Mar 2013 at 1:01

GoogleCodeExporter commented 9 years ago
BP ticket 915314

I've also sent mail to bluecoat previously, and they denied that they have 
anything to do with it.

Original comment by Hui....@gmail.com on 14 Mar 2013 at 1:02

GoogleCodeExporter commented 9 years ago
I have emailed Roy and Miki the full list of /checkout/success logs entries and 
identified duplicates from the list.  
There is no consistent IP address that is the culprit.
We will need further investigation based on the logs.  
One specific question: how can we get a /checkout/success entry when there are 
blank parameters?  Is this a user 'cancelling' from PayPal?

Original comment by Rob...@gmail.com on 19 Mar 2013 at 10:03

GoogleCodeExporter commented 9 years ago
EMAILS FROM ROY.  THIS ISSUE CAN NOW BE CLOSED.

From: Roy Hui [mailto:hui.roy@gmail.com] 
Sent: Wednesday, 20 March, 2013 1:06 PM
To: Jonas, Robert
Cc: Brotzler, Miki
Subject: Re: Issue 428: duplicate paypal response

Hi guys,

We've investigated all the possible scenarios listed in the log, and confirm 
that we are handling all the possibilities.

Thanks
Roy

From: Roy Hui [mailto:hui.roy@gmail.com] 
Sent: Wednesday, 20 March, 2013 10:31 AM
To: Jonas, Robert
Cc: Brotzler, Miki
Subject: Re: Issue 428: duplicate paypal response

Hi Rob,

Anyone can access any URLs, so that means /success can be accessed without 
parameters, URLs can be accessed twice in a row, or 30 seconds apart.  
Understanding why is the important question, whether it is a virus, a 
trojan, a keyboard logger, or legitimately, a proxy, a firewall, a proxy 
server, or even a telco.

I think as long as we don't have failed transactions because of this, we should 
be ok.

We will investigate and see if we can come up with anything else.

Cheers,
Roy

On Wed, Mar 20, 2013 at 10:18 AM, Jonas, Robert <Robert.Jonas@auspost.com.au> 
wrote:
Hi Roy,

I have supplied the data set of ‘checkout/success’ log entries – filtered 
to show duplicates.

There are some very strange entries in here:
• How can I have a ‘/checkout/success’ with a “-“ parameter?
• How can I have a replicated ‘/checkout/success’ with the same order parameters up to 30 seconds apart?
• How can I have a replicated ‘/checkout/success’ from the same IP address?

Can your team please investigate so we can understand the situation (and also 
understand if FHD is appropriately handling the replicated situations)?

Cheers,
Rob

Original comment by Rob...@gmail.com on 20 Mar 2013 at 9:42
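As an added example, not FHD code or anything from the thread, the "appropriately handling the replicated situations" that Rob asks about, in Python: complete the order at most once per PayPal token, so a replayed /checkout/success (second proxy, retry, or 30 seconds later) is a no-op, and a request with a blank query completes nothing. OrderStore is a hypothetical stand-in for the order database; with two app servers the once-only record has to live in shared storage with a unique constraint on the token, not in process memory.

```python
from urllib.parse import parse_qs

class OrderStore:
    """Hypothetical stand-in for the shared order database. In production the
    'completed' table needs a UNIQUE constraint on the token so that App 01 and
    App 02 racing on the same replay cannot both run fulfilment."""
    def __init__(self):
        self.completed = {}   # paypal token -> order ids already fulfilled

    def claim(self, token, orders):
        """Record completion once; True only for the first claimant. setdefault
        is the dict equivalent of INSERT ... ON CONFLICT DO NOTHING: if the token
        is already present the stored list is returned, not the new one."""
        return self.completed.setdefault(token, orders) is orders

def handle_checkout_success(store, query):
    """Return (http_status, message) for GET /checkout/success?<query>,
    where query is the raw cs-uri-query value ('-' when IIS logged none)."""
    params = parse_qs(query) if query != "-" else {}
    token = params.get("token", [""])[0]
    payer = params.get("PayerID", [""])[0]
    # order ids arrive as o1..oN; keep them in parameter order
    orders = [params[k][0] for k in sorted(params)
              if k[:1] == "o" and k[1:].isdigit()]
    if not token or not payer or not orders:
        # the blank-parameter ('-') case from the thread: nothing to complete
        return 400, "missing PayPal token/PayerID"
    if store.claim(token, orders):
        return 302, "completed"          # first arrival: run fulfilment once
    return 200, "already completed"      # replay: same outcome, no side effects
```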